How To Protect Your Data From Attack


Integrating Vulnerability Scanning into the SDLC
Eric Johnson, JavaOne Conference, 10/26/2015

Eric Johnson (@emjohn20), Senior Security Consultant, Certified SANS Instructor
Certifications: CISSP, GWAPT, GSSP-Java, GSSP-.NET
Contact info: eric.johnson@cypressdefense.com

Agenda
- Case Study
- Secure Development Lifecycle
- Continuous Integration
- Continuous Delivery
- Demo
- Questions

Case Study #1
- Company A provides a video sharing service
- Over 1 billion users per month

Case Study #1
- Client-side AJAX request
- Web service endpoint deletes any event with a valid session token:

  POST https://companya.com/live_events_edit_status_ajax?action_delete_live_event=1
  event_id: ANY_EVENT_ID
  session_token: SESSION_TOKEN

Case Study #1
- YouTube
- Bug bounty program paid $5,000
- "I fought the urge to clean up Justin Bieber's channel" - Kamil Hismatullin
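The flaw in Case Study #1 is a missing authorization check: the endpoint confirmed that the caller had a valid session, but never confirmed that the caller owned the event being deleted. The following Python example is added here to show the difference between the two checks; it is not code from the deck or from the service described. The handler names, the in-memory session and event stores, and the sample users are all constructed for the example.

```python
"""Ownership check for a delete endpoint (added example, not from the deck).

Case Study #1 describes an endpoint that deleted any event as long as the
request carried some valid session token: the server authenticated the caller
but never checked that the caller owned the event. The handlers, stores and
sample data below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: str
    owner_id: str


# Constructed sample data: two users, each owning one live event.
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}
EVENTS = {
    "evt-1": Event("evt-1", "alice"),
    "evt-2": Event("evt-2", "bob"),
}


class AuthError(Exception):
    """Raised when the request is not authenticated or not authorized."""


def _user_for_token(session_token: str) -> str:
    """Authentication only: answers 'who is calling?'."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise AuthError("invalid session token") from None


def delete_event_vulnerable(events: dict, event_id: str, session_token: str) -> bool:
    """Mirrors the flaw: any authenticated caller can delete any event."""
    _user_for_token(session_token)  # only checks that the token is valid
    return events.pop(event_id, None) is not None


def delete_event_fixed(events: dict, event_id: str, session_token: str) -> bool:
    """Authorization added: the caller must own the event being deleted."""
    caller = _user_for_token(session_token)
    event = events.get(event_id)
    # Deny both 'missing' and 'not yours' with the same error so the response
    # does not reveal which event ids exist.
    if event is None or event.owner_id != caller:
        raise AuthError("not permitted")
    del events[event_id]
    return True


def demo() -> dict:
    """Run both handlers against fresh copies of the sample data."""
    vuln = dict(EVENTS)
    fixed = dict(EVENTS)
    results = {}
    # Bob's token, Alice's event: the vulnerable handler deletes it.
    results["vulnerable_cross_user"] = delete_event_vulnerable(vuln, "evt-1", "token-bob")
    # The same request against the fixed handler is refused and evt-1 survives.
    try:
        delete_event_fixed(fixed, "evt-1", "token-bob")
        results["fixed_cross_user"] = "deleted"
    except AuthError:
        results["fixed_cross_user"] = "denied"
    results["evt1_still_present"] = "evt-1" in fixed
    # Alice deleting her own event is still allowed.
    results["fixed_own_event"] = delete_event_fixed(fixed, "evt-1", "token-alice")
    return results


if __name__ == "__main__":
    print(demo())
```

The cross-user case in `demo()` is exactly the kind of security-specific unit test the Continuous Integration slide later calls for under "access control": it encodes the ownership rule once and fails the build if a future change drops the check.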

Case Study #2
- Company B
- Social media web site with over 380 million users

Case Study #2
- Company B has a request vulnerable to SQL injection
- Example request:

  POST https://companyb.com/search
  searchterm=' OR 1=1; UPDATE Users SET IsAdmin = 1 WHERE UserName = 'Milton'; --

Case Study #2
- An automated SQL injection tool (sqlmap) is used to extract the database
- User table contains 6.5 million password hashes
- Investigation reveals SHA1 hashes are unsalted

Case Study #2
- LinkedIn
- 4 million SHA1 hashes reversed
- "The enhanced security we just recently put in place includes hashing and salting of our current password databases. We sincerely apologize for the inconvenience this has caused our members." - Vincent Silveira, LinkedIn
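Case Study #2 combines two defects: a query built by string concatenation, and password hashes stored as unsalted SHA1. The Python example below is added here to show the fix for each side by side; it is not the deck's code or LinkedIn's. It uses an in-memory SQLite database with a constructed `Users` table that borrows the column names from the slide's payload, and the PBKDF2 parameters, helper names and sample passwords are assumptions for the example.

```python
"""Parameterized queries and salted password hashing (added example).

Constructed for this page, not the deck's or LinkedIn's code. The schema, the
sample users and the helper names are assumptions for the example.
"""
import hashlib
import hmac
import os
import sqlite3

# The deck's injection payload, quoted as it would arrive in the request body.
PAYLOAD = "' OR 1=1; UPDATE Users SET IsAdmin = 1 WHERE UserName = 'Milton'; --"
# The tautology half of it, which is enough to defeat a WHERE clause.
TAUTOLOGY = "' OR 1=1 --"
ITERATIONS = 100_000  # PBKDF2 work factor; tune to the hardware in production


def make_db() -> sqlite3.Connection:
    """Constructed sample schema with two users; IsAdmin mirrors the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, IsAdmin INTEGER, Bio TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [("Milton", 0, "likes staplers"), ("Alice", 1, "site admin")])
    return conn


def search_vulnerable(conn, term: str) -> list:
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = f"SELECT UserName FROM Users WHERE UserName = '{term}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term: str) -> list:
    """Bound parameter: the driver passes the input as a value, never as SQL."""
    sql = "SELECT UserName FROM Users WHERE UserName = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def unsalted_sha1(password: str) -> str:
    """What the breached table held: one deterministic digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus a slow KDF, stored as 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo() -> dict:
    conn = make_db()
    out = {}
    out["normal_lookup"] = search_safe(conn, "Milton")
    # The concatenated query returns every user for the tautology payload ...
    out["vulnerable_rows"] = search_vulnerable(conn, TAUTOLOGY)
    # ... while the parameterized query looks for a user literally named PAYLOAD.
    out["safe_rows"] = search_safe(conn, PAYLOAD)
    out["milton_is_admin"] = conn.execute(
        "SELECT IsAdmin FROM Users WHERE UserName = 'Milton'").fetchone()[0]
    # Two users who chose the same password: identical under unsalted SHA1,
    # so one cracked digest unlocks both accounts; distinct once salted.
    out["sha1_collide"] = unsalted_sha1("password1") == unsalted_sha1("password1")
    a, b = hash_password("password1"), hash_password("password1")
    out["salted_differ"] = a != b
    out["verify_ok"] = verify_password("password1", a)
    out["verify_wrong"] = verify_password("password2", a)
    return out


if __name__ == "__main__":
    print(demo())
```

Note that Python's sqlite3 driver refuses to run more than one statement per `execute()` call, so the stacked `UPDATE` in the slide's payload would be rejected here; that is a property of this driver, not a defence, and other drivers and databases do execute stacked statements. The parameterized query is the fix regardless of driver.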

And the list goes on...

The Root Cause
- Silos / politics between enterprise groups
- Leaving security until the very end
- Legacy applications
- Fear of breaking production code
- Slow deployment cycles leave vulnerability windows open

Securing the Development Lifecycle
- Security is baked into all phases of development
  (* Gary McGraw Touchpoint Model)

Meet Your Security Team
- Security is everyone's job: Developers, Quality Assurance, Operations, Security Team, Management, C-Level Executives

Iteration Zero
- Assign a security expert to the project team
- Define the security requirements: privacy assessment, attack surface analysis, threat modeling

Security Testing in Development
- Percentage of development teams performing security testing: 21.6% perform security testing, 78.4% not security testing
  (* 2015 SANS Application Security Survey)

The Sprint
- Agile & DevOps move too fast for traditional security processes
- Security must adapt using incremental / automated testing: Continuous Integration, Continuous Delivery

Continuous Integration
- Check-in triggers automated tests
- Provides fast feedback to developers (minutes)
- Security has a limited role:
  - Security-specific unit testing: authentication, user management, password, access control, validation
  - Developer-driven static / dynamic analysis: dangerous function calls, OWASP Top 10
  - Rule sets must produce very few false positives

Continuous Integration Tools
- Jenkins static analysis plugins: Find Security Bugs, Checkstyle, OWASP Dependency Check
- Find Security Bugs
- Eclipse Security Testing Plug-in

Find Security Bugs
- Written by Philippe Arteau (@h3xstream)
- FindBugs plug-in with 67 security-specific rules: OWASP Top 10, SANS CWE Top 25
- http://h3xstream.github.io/find-sec-bugs/
- WebGoat scan: 15 security issues found out of the box, 101 security issues found with FSB installed
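The Continuous Integration slide asks for developer-driven static analysis of "dangerous function calls" with rule sets that produce very few false positives, and Find Security Bugs is the deck's example of such a rule set for Java bytecode. The Python example below is added here to show the shape of such a rule in code; it is not Find Security Bugs and not the deck's code. It walks the abstract syntax tree of a constructed sample file and reports only call patterns that are unsafe by construction, which is what keeps it quiet on look-alikes such as a method that happens to be named `eval`. The rule ids and the sample source are made up for the example.

```python
"""A minimal "dangerous function call" rule set over Python source (added example).

Find Security Bugs does this for Java bytecode; this constructed Python
equivalent walks the AST and reports only call patterns that are unsafe by
construction, so it stays quiet on look-alikes (a method named eval, a
subprocess call without shell=True). Rule ids and the sample are made up.
"""
import ast

# Constructed sample file a CI job might scan.
SAMPLE = '''
import hashlib, os, subprocess
def run(cmd, user_input, model):
    subprocess.run(cmd, shell=True)             # flagged: shell=True
    subprocess.run(["ls", "-l"])                # not flagged: argv list, no shell
    os.system("ls " + user_input)               # flagged: shell command string
    eval(user_input)                            # flagged: builtin eval on data
    model.eval()                                # not flagged: a method, not the builtin
    digest = hashlib.sha1(user_input.encode())  # flagged: weak hash
    return digest
'''


def _dotted(node):
    """Return 'a.b.c' for an Attribute/Name chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _shell_true(call: ast.Call) -> bool:
    """True only for a literal shell=True keyword, never for a variable."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan_source(src: str, filename: str = "<src>") -> list:
    """Return (rule_id, line, detail) tuples for each dangerous call, by line."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name in ("eval", "exec"):
            findings.append(("CODE_INJECTION", node.lineno, f"{name}() on data"))
        elif name == "os.system":
            findings.append(("COMMAND_INJECTION", node.lineno, "os.system()"))
        elif name and name.startswith("subprocess.") and _shell_true(node):
            findings.append(("COMMAND_INJECTION", node.lineno, f"{name}(shell=True)"))
        elif name in ("hashlib.md5", "hashlib.sha1"):
            findings.append(("WEAK_HASH", node.lineno, name))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for rule, line, detail in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {rule}: {detail}")
```

Each rule matches a fully qualified call name rather than a substring, and the `shell=True` rule fires only on a literal `True`; a variable passed as `shell=` is a judgment call a real tool would report at lower confidence. That precision is what lets a rule like this run on every check-in without developers learning to ignore it.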

Eclipse Security Testing Plug-in
- Written by Gregory Leonard (@appsecgreg)
  [CON5653] Managing 3rd Party Security Risks, Wednesday @ 3:00 PM
- Integrates dynamic scanning into the IDE
- Currently supports: Zed Attack Proxy (ZAP) spider and active scan

Continuous Delivery
- Code changes are pushed into the automated deployment pipeline (test, staging, prod)
- Required security checkpoints: automated dynamic testing, deep static analysis
- Pass / fail criteria determine if the build fails
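"Pass / fail criteria determine if the build fails" only works if the criteria are written down as a deterministic rule the pipeline can apply to every scan. The Python example below is added here to show one such gate; it is not the deck's code or any scanner's. The findings list, the severity thresholds and the baseline of accepted findings are all constructed for the example, and a real pipeline would first convert the scanner's own report format (ZAP, Find Security Bugs, and so on) into this shape.

```python
"""Pass/fail gate over scanner findings (added example, not the deck's code).

A CD pipeline needs a deterministic rule for turning a scan report into
"build fails" or "build passes". The report format below is constructed
(a list of findings with a severity and a rule id); real tools have their
own formats, so a small adapter would be needed in front of this gate.
"""
import sys
from collections import Counter

# Constructed findings as a scanner might emit them for one build.
FINDINGS = [
    {"rule": "SQL_INJECTION", "severity": "High", "path": "search.py", "line": 12},
    {"rule": "XSS_REFLECTED", "severity": "Medium", "path": "view.py", "line": 40},
    {"rule": "XSS_REFLECTED", "severity": "Medium", "path": "view.py", "line": 58},
    {"rule": "COOKIE_NO_HTTPONLY", "severity": "Low", "path": "auth.py", "line": 7},
]

# Constructed policy: any High fails the build; more than two Mediums fail it;
# Low findings are reported but never block a release.
POLICY = {"fail_on": {"High": 0, "Medium": 2}}

# Constructed baseline: findings already triaged (e.g. a confirmed false
# positive tracked in a ticket). Keyed by (rule, path, line) so that a new
# instance of the same rule elsewhere is not silently accepted.
BASELINE = {("XSS_REFLECTED", "view.py", 58)}


def evaluate_gate(findings, policy, baseline=frozenset()):
    """Return (passed, counts_by_severity, reasons) for one build."""
    live = [f for f in findings
            if (f["rule"], f["path"], f["line"]) not in baseline]
    counts = Counter(f["severity"] for f in live)
    reasons = []
    for severity, allowed in policy["fail_on"].items():
        if counts.get(severity, 0) > allowed:
            reasons.append(f"{counts[severity]} {severity} finding(s) exceed limit {allowed}")
    return (not reasons, dict(counts), reasons)


def main() -> int:
    """Exit non-zero so the pipeline stage, and therefore the build, fails."""
    passed, counts, reasons = evaluate_gate(FINDINGS, POLICY, BASELINE)
    print("findings by severity:", counts)
    for reason in reasons:
        print("FAIL:", reason)
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Two design points matter for the retrospective metric on a later slide (issues identified vs. remediated): the baseline is keyed by location, so a suppression expires naturally when the code moves, and `counts` is returned separately from the pass/fail verdict so the same run can feed the defect tracker even when the build passes.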

Continuous Delivery Frameworks
Security-specific testing:
- Yahoo Gryffin: https://github.com/yahoo/gryffin (http://bit.ly/1lqqlgj)
- Mozilla Minion: https://wiki.mozilla.org/security/projects/minion
- Gauntlt: http://gauntlt.org/

The Sprint Retrospective
- Security issues: # of security issues identified vs. # remediated?
- Schedule external assessments: security-specific source code reviews, penetration testing
- Feed security issues to the backlog / defect tracking systems
- If needed, schedule a hardening sprint

The Benefits
- Scans occur as code is written
- Consistent and repeatable process
- Incremental security testing
- Release more secure code to production

Demo! Demo! Demo!
- Find Security Bugs
- Eclipse Security Testing

Future enhancements
- Add to Eclipse Marketplace
- Additional IDE / build support: Visual Studio, Maven, Ant, TFS
- Provide additional scanner support: Burp Suite, w3af, Arachni
Limitations
- Eclipse Dynamic Security Testing: ZAP REST API (session state not enabled)

Thanks for attending! Questions?
Contact info: Twitter @emjohn20, Email eric.johnson@cypressdefense.com